feat: set up colmena with hetzner stuff

deploy/README.md

@@ -0,0 +1,9 @@
+# `colmena` deployments
+
+* tags: `local`, `cloud`
+* deployments can be made from `astyanax` and `andromache` hosts
+
+## References
+
+- [docs: `colmena`](https://colmena.cli.rs/)
+- [repo: `colmena`](https://github.com/zhaofengli/colmena)

deploy/colmena.nix

@@ -0,0 +1,28 @@
+{
+  self,
+  inputs,
+}:
+
+inputs.colmena.lib.makeHive {
+  meta = {
+    nixpkgs = import inputs.nixpkgs {
+      system = "x86_64-linux";
+    };
+
+    nodeNixpkgs = builtins.mapAttrs (_: v: v.pkgs) self.nixosConfigurations;
+    nodeSpecialArgs = builtins.mapAttrs (_: v: v._module.specialArgs or { }) self.nixosConfigurations;
+  };
+
+  astyanax.deployment.tags = [ "local" ];
+
+  andromache.deployment.tags = [ "local" ];
+
+  vm.deployment.tags = [ "local" ];
+
+  hecuba.deployment = {
+    targetHost = "hecuba";
+    targetUser = "username";
+    targetPort = 22;
+    tags = [ "cloud" ];
+  };
+}

dots/.config/nvim/flake.lock

@@ -42,11 +42,11 @@
     },
     "nixCats": {
       "locked": {
-        "lastModified": 1767604651,
+        "lastModified": 1769085828,
-        "narHash": "sha256-itAnxzTpWpY1s3LA/oNngOuZDXT5U5JUZP5fApwx9gs=",
+        "narHash": "sha256-TjhFIAtS628+/r3IuYWPcNa++mUMMDDG8PbSfFHXBiA=",
         "owner": "BirdeeHub",
         "repo": "nixCats-nvim",
-        "rev": "3c9bc4d7123e1b48d92f25ba505b889af541e897",
+        "rev": "43fbf4d12b0a613f1a792503da4bb2bf270173c7",
         "type": "github"
       },
       "original": {
@@ -73,11 +73,11 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1768302833,
+        "lastModified": 1768875095,
-        "narHash": "sha256-h5bRFy9bco+8QcK7rGoOiqMxMbmn21moTACofNLRMP4=",
+        "narHash": "sha256-dYP3DjiL7oIiiq3H65tGIXXIT1Waiadmv93JS0sS+8A=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "61db79b0c6b838d9894923920b612048e1201926",
+        "rev": "ed142ab1b3a092c4d149245d0c4126a5d7ea00b0",
         "type": "github"
       },
       "original": {
@@ -106,11 +106,11 @@
     "plugins-helm-ls-nvim": {
       "flake": false,
       "locked": {
-        "lastModified": 1761915179,
+        "lastModified": 1768584652,
-        "narHash": "sha256-W9NRa84l5Cs62OsDeqb+LMxk8oYjhVBCB3o3UmE9a0I=",
+        "narHash": "sha256-jnMc87OjURNcqsva0npYgVyUrWc5C6L7yHpNvt9eSmg=",
         "owner": "qvalentin",
         "repo": "helm-ls.nvim",
-        "rev": "d6f3a8d4ad59b4f54cd734267dfb5411679ea608",
+        "rev": "f0b9a1723890971a6d84890b50dbf5f40974ea1b",
         "type": "github"
       },
       "original": {
@@ -138,11 +138,11 @@
     "plugins-mcphub-nvim": {
       "flake": false,
       "locked": {
-        "lastModified": 1765628564,
+        "lastModified": 1768730387,
-        "narHash": "sha256-nvWqCGRKhbUHsAM/zd+cwFdcoXXxf6EmcCkpN4mElf4=",
+        "narHash": "sha256-g9tPvjThz6EUk7zcY7lL+YH4lrT4x3FJ6jrNMHA8PAE=",
         "owner": "ravitemer",
         "repo": "mcphub.nvim",
-        "rev": "5193329d510a68f1f5bf189960642c925c177a3a",
+        "rev": "7cd5db330f41b7bae02b2d6202218a061c3ebc1f",
         "type": "github"
       },
       "original": {

dots/.config/nvim/flake.nix

@@ -135,7 +135,7 @@
               zenbones-nvim
               nvim-treesitter.withAllGrammars
               nvim-treesitter-textobjects
-              nvim-treesitter-context
+              # nvim-treesitter-context
               nvim-ts-context-commentstring
               treesj
               sniprun

flake.lock

@@ -1,5 +1,29 @@
 {
   "nodes": {
+    "colmena": {
+      "inputs": {
+        "flake-compat": "flake-compat",
+        "flake-utils": "flake-utils",
+        "nix-github-actions": "nix-github-actions",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "stable": "stable"
+      },
+      "locked": {
+        "lastModified": 1762034856,
+        "narHash": "sha256-QVey3iP3UEoiFVXgypyjTvCrsIlA4ecx6Acaz5C8/PQ=",
+        "owner": "zhaofengli",
+        "repo": "colmena",
+        "rev": "349b035a5027f23d88eeb3bc41085d7ee29f18ed",
+        "type": "github"
+      },
+      "original": {
+        "owner": "zhaofengli",
+        "repo": "colmena",
+        "type": "github"
+      }
+    },
     "disko": {
       "inputs": {
         "nixpkgs": [
@@ -7,11 +31,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1746728054,
+        "lastModified": 1768920986,
-        "narHash": "sha256-eDoSOhxGEm2PykZFa/x9QG5eTH0MJdiJ9aR00VAofXE=",
+        "narHash": "sha256-CNzzBsRhq7gg4BMBuTDObiWDH/rFYHEuDRVOwCcwXw4=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "ff442f5d1425feb86344c028298548024f21256d",
+        "rev": "de5708739256238fb912c62f03988815db89ec9a",
         "type": "github"
       },
       "original": {
@@ -29,11 +53,11 @@
       },
       "locked": {
         "dir": "pkgs/firefox-addons",
-        "lastModified": 1768709017,
+        "lastModified": 1769054619,
-        "narHash": "sha256-/Xc5B/+6nbX24iSaPbN/+wiVqGS50/LS4y53tzTvN0o=",
+        "narHash": "sha256-LCc0gbSgjehdy41Gi1H5WNxEuW9PtRHFVaPXoFzslQU=",
         "owner": "rycee",
         "repo": "nur-expressions",
-        "rev": "5728e3d62c3af09445cb013e304d627f6589efc4",
+        "rev": "6509620630f68dc02ac3e99f15a67760778444ff",
         "type": "gitlab"
       },
       "original": {
@@ -43,6 +67,22 @@
         "type": "gitlab"
       }
     },
+    "flake-compat": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1650374568,
+        "narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "b4a34015c698c7793d592d66adbab377907a2be8",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
     "flake-parts": {
       "inputs": {
         "nixpkgs-lib": [
@@ -66,6 +106,21 @@
       }
     },
     "flake-utils": {
+      "locked": {
+        "lastModified": 1659877975,
+        "narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "flake-utils_2": {
       "inputs": {
         "systems": "systems"
       },
@@ -90,11 +145,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1768707181,
+        "lastModified": 1769102673,
-        "narHash": "sha256-GdwFfnwdUgABFpc4sAmX7GYx8eQs6cEjOPo6nBJ0YaI=",
+        "narHash": "sha256-/qvRFjn1s3bIJdSKG6IpaE6ML3j9anQKUqGhmt4Qe+E=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "83bcb17377f0242376a327e742e9404e9a528647",
+        "rev": "b0491fe55680bd19be8e74847969dad9d7784658",
         "type": "github"
       },
       "original": {
@@ -122,13 +177,34 @@
         "type": "github"
       }
     },
+    "nix-github-actions": {
+      "inputs": {
+        "nixpkgs": [
+          "colmena",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1729742964,
+        "narHash": "sha256-B4mzTcQ0FZHdpeWcpDYPERtyjJd/NIuaQ9+BV1h+MpA=",
+        "owner": "nix-community",
+        "repo": "nix-github-actions",
+        "rev": "e04df33f62cdcf93d73e9a04142464753a16db67",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "nix-github-actions",
+        "type": "github"
+      }
+    },
     "nix-secrets": {
       "flake": false,
       "locked": {
-        "lastModified": 1768726358,
+        "lastModified": 1768769813,
-        "narHash": "sha256-OFD8qqNfGnLnL+15Hpzl6jhuzb4KVuVNz0zfPBz8lyo=",
+        "narHash": "sha256-3ft3BnwlJyrqfJKlXj4px3oIh5feLEJZ2iOEg8kErRc=",
         "ref": "main",
-        "rev": "84db870708bb281edf24f626d1e105e8a8ea0b3f",
+        "rev": "af4d568e01b6b5ccf8cc1262886ebea63b2010f2",
         "shallow": true,
         "type": "git",
         "url": "ssh://git@github.com/hektor/nix-secrets"
@@ -142,11 +218,11 @@
     },
     "nixCats": {
       "locked": {
-        "lastModified": 1767604651,
+        "lastModified": 1769085828,
-        "narHash": "sha256-itAnxzTpWpY1s3LA/oNngOuZDXT5U5JUZP5fApwx9gs=",
+        "narHash": "sha256-TjhFIAtS628+/r3IuYWPcNa++mUMMDDG8PbSfFHXBiA=",
         "owner": "BirdeeHub",
         "repo": "nixCats-nvim",
-        "rev": "3c9bc4d7123e1b48d92f25ba505b889af541e897",
+        "rev": "43fbf4d12b0a613f1a792503da4bb2bf270173c7",
         "type": "github"
       },
       "original": {
@@ -157,7 +233,7 @@
     },
     "nixgl": {
       "inputs": {
-        "flake-utils": "flake-utils",
+        "flake-utils": "flake-utils_2",
         "nixpkgs": [
           "nixpkgs"
         ]
@@ -178,11 +254,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1768584846,
+        "lastModified": 1769086393,
-        "narHash": "sha256-IRPmIOV2tPwxbhP/I9M5AmwhTC0lMPtoPStC+8T6xl0=",
+        "narHash": "sha256-3ymIZ8s3+hu7sDl/Y48o6bwMxorfKrmn97KuWiw1vjY=",
         "owner": "NixOS",
         "repo": "nixos-hardware",
-        "rev": "cce68f4a54fa4e3d633358364477f5cc1d782440",
+        "rev": "9f7ba891ea5fc3ededd7804f1a23fafadbcb26ca",
         "type": "github"
       },
       "original": {
@@ -194,11 +270,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1768564909,
+        "lastModified": 1769018530,
-        "narHash": "sha256-Kell/SpJYVkHWMvnhqJz/8DqQg2b6PguxVWOuadbHCc=",
+        "narHash": "sha256-MJ27Cy2NtBEV5tsK+YraYr2g851f3Fl1LpNHDzDX15c=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "e4bae1bd10c9c57b2cf517953ab70060a828ee6f",
+        "rev": "88d3861acdd3d2f0e361767018218e51810df8a1",
         "type": "github"
       },
       "original": {
@@ -268,11 +344,11 @@
     "plugins-helm-ls-nvim": {
       "flake": false,
       "locked": {
-        "lastModified": 1761915179,
+        "lastModified": 1768584652,
-        "narHash": "sha256-W9NRa84l5Cs62OsDeqb+LMxk8oYjhVBCB3o3UmE9a0I=",
+        "narHash": "sha256-jnMc87OjURNcqsva0npYgVyUrWc5C6L7yHpNvt9eSmg=",
         "owner": "qvalentin",
         "repo": "helm-ls.nvim",
-        "rev": "d6f3a8d4ad59b4f54cd734267dfb5411679ea608",
+        "rev": "f0b9a1723890971a6d84890b50dbf5f40974ea1b",
         "type": "github"
       },
       "original": {
@@ -300,11 +376,11 @@
     "plugins-mcphub-nvim": {
       "flake": false,
       "locked": {
-        "lastModified": 1765628564,
+        "lastModified": 1768730387,
-        "narHash": "sha256-nvWqCGRKhbUHsAM/zd+cwFdcoXXxf6EmcCkpN4mElf4=",
+        "narHash": "sha256-g9tPvjThz6EUk7zcY7lL+YH4lrT4x3FJ6jrNMHA8PAE=",
         "owner": "ravitemer",
         "repo": "mcphub.nvim",
-        "rev": "5193329d510a68f1f5bf189960642c925c177a3a",
+        "rev": "7cd5db330f41b7bae02b2d6202218a061c3ebc1f",
         "type": "github"
       },
       "original": {
@@ -363,6 +439,7 @@
     },
     "root": {
       "inputs": {
+        "colmena": "colmena",
         "disko": "disko",
         "firefox-addons": "firefox-addons",
         "home-manager": "home-manager",
@@ -381,11 +458,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1768709255,
+        "lastModified": 1768863606,
-        "narHash": "sha256-aigyBfxI20FRtqajVMYXHtj5gHXENY2gLAXEhfJ8/WM=",
+        "narHash": "sha256-1IHAeS8WtBiEo5XiyJBHOXMzECD6aaIOJmpQKzRRl64=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "5e8fae80726b66e9fec023d21cd3b3e638597aa9",
+        "rev": "c7067be8db2c09ab1884de67ef6c4f693973f4a2",
         "type": "github"
       },
       "original": {
@@ -394,6 +471,22 @@
         "type": "github"
       }
     },
+    "stable": {
+      "locked": {
+        "lastModified": 1750133334,
+        "narHash": "sha256-urV51uWH7fVnhIvsZIELIYalMYsyr2FCalvlRTzqWRw=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "36ab78dab7da2e4e27911007033713bab534187b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-25.05",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
     "systems": {
       "locked": {
         "lastModified": 1681028828,

flake.nix

@@ -34,6 +34,10 @@
       url = "path:./dots/.config/nvim";
       inputs.nixpkgs.follows = "nixpkgs";
     };
+    colmena = {
+      url = "github:zhaofengli/colmena";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
   };
 
   outputs =
@@ -48,6 +52,7 @@
       nixgl,
       firefox-addons,
       nvim,
+      colmena,
     }@inputs:
     let
       inherit (self) outputs;
@@ -82,5 +87,12 @@
           };
         };
       };
+
+      colmenaHive = import ./deploy/colmena.nix {
+        inherit
+          self
+          inputs
+          ;
+      };
     };
 }

home/hosts/andromache/default.nix

@@ -13,7 +13,7 @@ in
   imports = [
     ../../modules/desktop/niri
     ../../modules/git.nix
-    ../../modules/hetzner
+    # ../../modules/hetzner.nix
     ../../modules/k9s.nix
     ../../modules/kitty.nix
     ../../modules/ssh.nix

home/hosts/astyanax/default.nix

@@ -13,7 +13,7 @@ in
     ../../modules/anki.nix
     ../../modules/desktop/niri
     ../../modules/git.nix
-    ../../modules/hetzner
+    # ../../modules/hetzner.nix
     ../../modules/k9s.nix
     ../../modules/kitty.nix
     ../../modules/ssh.nix

home/hosts/packages.nix

@@ -15,6 +15,7 @@ with pkgs;
   nixfmt-rfc-style
   nmap
   nodejs_24
+  opencode
   nvimpager
   pandoc
   parallel

home/modules/hcloud/default.nix

@@ -1,5 +1,4 @@
 {
-  config,
   lib,
   osConfig ? null,
   ...
@@ -10,7 +9,8 @@ let
 in
 {
   config = {
-    warnings = lib.optional (!isNixOS)
+    warnings =
+      lib.optional (!isNixOS)
         "hcloud module requires NixOS host configuration. This module will not work with standalone home-manager.";
   };
 }

hosts/andromache/default.nix

@@ -51,6 +51,8 @@ in
   secrets.username = username;
   docker.user = username;
 
+  nix.settings.secret-key-files = [ config.sops.secrets.nix_signing_key_andromache.path ];
+
   disko.devices = {
     disk.data = {
       type = "disk";

hosts/astyanax/default.nix

@@ -53,6 +53,8 @@ in
   secrets.username = username;
   docker.user = username;
 
+  nix.settings.secret-key-files = [ config.sops.secrets.nix_signing_key_astyanax.path ];
+
   hardware = {
     cpu.intel.updateMicrocode = true;
     # https://wiki.nixos.org/wiki/Intel_Graphics

hosts/hecuba/default.nix

@@ -18,11 +18,17 @@ in
     ../../modules/common
     ./hard.nix
     ../../modules/ssh/hardened-openssh.nix
+    ../../modules/docker
   ];
 
   networking.hostName = hostName;
   ssh.username = username;
-  ssh.authorizedHosts = [ "andromache" ];
+  ssh.authorizedHosts = [
+    "andromache"
+    "astyanax"
+  ];
+
+  docker.user = username;
 
   fileSystems."/" = {
     device = "/dev/disk/by-label/nixos";
@@ -51,7 +57,13 @@ in
 
   security.sudo.wheelNeedsPassword = false;
 
-  networking.firewall.enable = true;
+  networking.firewall = {
+    enable = true;
+    allowedTCPPorts = [
+      80
+      443
+    ];
+  };
 
   environment.systemPackages = with pkgs; [
     vim
@@ -67,4 +79,15 @@ in
     enable = true;
     harden = true;
   };
+
+  nix.settings = {
+    trusted-public-keys = [
+      "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+      "astyanax:JY2qJkZUFSax47R3c1nq53AZ8GnLfNqz6mSnJ60cLZ4="
+      "andromache:XM4VLrEw63RB/3v/56OxzH/Yw+kKXKMBLKCb7UGAXzo="
+    ];
+    auto-optimise-store = true;
+    keep-derivations = false;
+    keep-outputs = false;
+  };
 }

hosts/hecuba/ssh_host.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPIffzYkin2QHGoaOKXbQv6pbim8SU1J+3vAf2vXerMj root@nixos

modules/desktops/niri/default.nix

@@ -1,11 +1,11 @@
-{ pkgs, ... }:
-
 {
   programs.niri.enable = true;
 
   services.dbus.enable = true;
   services.logind.settings.Login = {
     HandleLidSwitch = "suspend";
+    IdleAction = "suspend";
+    IdleActionSec = 1800;
   };
 
   services.displayManager.ly = {

modules/secrets/default.nix

@@ -29,6 +29,9 @@ in
         "anki_sync_user".owner = config.users.users.${cfg.username}.name;
         "anki_sync_key".owner = config.users.users.${cfg.username}.name;
         "hcloud".owner = config.users.users.${cfg.username}.name;
+        "nix_signing_key_astyanax" = { };
+        "nix_signing_key_andromache" = { };
+        "opencode_api_key".owner = config.users.users.${cfg.username}.name;
       };
 
       templates."taskrc.d/sync" = {
@@ -69,6 +72,19 @@ in
             token = "${config.sops.placeholder."hcloud"}"
         '';
       };
+
+      templates."opencode/auth.json" = {
+        owner = config.users.users.${cfg.username}.name;
+        path = "/home/${cfg.username}/.local/share/opencode/auth.json";
+        content = ''
+          {
+            "zai-coding-plan": {
+              "type": "api",
+              "key": "${config.sops.placeholder."opencode_api_key"}"
+            }
+          }
+        '';
+      };
     };
   };
 }